Description
Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LoginPress Pro plugin, up to version 6.2.2, contains a flaw that permits an unauthenticated attacker to elevate privileges within a WordPress site. This issue is classified as a privilege escalation vulnerability (CWE-266) and is rated with a CVSS score of 9.8, indicating a high likelihood of severe damage if exploited. In practice, an attacker could gain administrative access or modify site settings without needing valid credentials.

Affected Systems

WordPress sites running the LoginPress Pro plugin version 6.2.2 or earlier are affected. The vulnerability applies to all installations of the LoginPress Pro plugin for WordPress where the plugin has not been updated to at least version 6.2.3. Hosts must verify the plugin version and check for any custom configurations that might expose the plugin to the web.

Risk and Exploitability

The CVSS score of 9.8 signals a critical threat level, while the EPSS score is currently not available, indicating that no publicly disclosed exploitation frequency is recorded yet. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is sending unauthenticated HTTP requests to the affected WordPress instance, potentially using automated scripts to locate the vulnerable plugin endpoint. Because no authentication is required, the attack window is wide and could affect any visible site that has the plugin installed.

Generated by OpenCVE AI on June 18, 2026 at 14:02 UTC.

Remediation

Vendor Solution

Update the WordPress LoginPress Pro Plugin to the latest available version (at least 6.2.3).


OpenCVE Recommended Actions

  • Update the LoginPress Pro plugin to version 6.2.3 or later.
  • If an immediate update is not possible, disable the plugin or block access to its pages until the fix is applied.
  • Audit user accounts and reset administrative passwords to eliminate any potential impersonation.
  • Monitor WordPress logs for unexpected privilege escalation activity and consider enabling web application firewall rules targeting known plugin paths.

Generated by OpenCVE AI on June 18, 2026 at 14:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Loginpress
Loginpress loginpress Pro
Wordpress
Wordpress wordpress
Vendors & Products Loginpress
Loginpress loginpress Pro
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
Title WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Loginpress Loginpress Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:19:32.756Z

Reserved: 2026-05-27T10:26:36.700Z

Link: CVE-2026-49058

cve-icon Vulnrichment

Updated: 2026-06-17T12:19:27.721Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:02Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment